VaultDevLabs
Public API security review

Public API Security Review for SaaS, OpenAPI and GraphQL surfaces

An authorised no-login review of your approved public API surface, OpenAPI/Swagger docs, GraphQL endpoints, webhook routes, CORS, headers and exposed route signals — with evidence-backed findings, practical fixes and retest proof.

Authorised scope only

Human-reviewed findings

No-login V2 by default

Retest proof available

What this review checks

Approved public API exposure, evidence and limits.

The review uses approved scope, public evidence and route hints where available. It is designed to show what is visible without credentials and what cannot be proven without a deeper written scope.

API exposure

  • Public API routes
  • Unexpected admin/internal endpoints
  • Unauthenticated sensitive route signals
  • Route inventory and provenance

OpenAPI / GraphQL

  • Public OpenAPI/Swagger docs
  • GraphQL endpoint visibility
  • Schema/introspection signals where safely observable
  • Sensitive operation hints

Web posture

  • Security headers
  • TLS/HTTPS posture
  • CORS
  • Cookies
  • HTTP methods
  • Cache, rate and body-size signals where evidenced

Evidence coverage

  • Crawler-discovered routes
  • Scope route hints
  • Static route hints where provided
  • OpenAPI route hints
  • Positive controls
  • Limitations

What no-login API review can prove

A no-login review is strongest at public exposure, route visibility, public documentation and observable boundary signals.

Public exposure

Whether approved public routes, docs and endpoints are visible without login.

Unauthenticated behaviour

How public endpoints respond to safe, non-destructive requests in the agreed scope.

API documentation exposure

Whether OpenAPI, Swagger or GraphQL surfaces disclose useful route and operation hints.

Boundary signals

Headers, CORS, methods, TLS and webhook/API route signals that can be observed safely.

What it cannot prove

The limitations are explicit. Credentialed V3 testing requires separate written approval and test accounts.

IDOR resistance

It cannot fully prove that user A cannot access user B's data without credentialed role testing.

Role boundaries

It cannot fully test logged-in permissions, account roles or tenant separation.

Business logic

It cannot validate private workflows, state changes or role-specific API behaviour.

Credentialed paths

API-key, session and account testing needs separate written approval and test accounts.

Example finding

Example finding — sample evidence format

Example only. Real findings depend on approved scope and evidence.

Issue

Public Swagger document exposed sensitive API routes

Risk

Medium / High depending on exposed operations

Evidence

GET /swagger.json returned 200 and listed admin/payment/export-like paths.

Why it matters

Public API documentation can help attackers or automated tools understand routes, operations and integration surfaces faster.

Recommended fix

Restrict API documentation in production, remove sensitive operations from public docs, or require appropriate access controls.

Retest

Recheck the approved route and confirm public access is blocked or limited.
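The Swagger finding above, illustrated with an added audit that is not VaultDevLabs' own tooling: given an OpenAPI document (the spec below is constructed), it lists every operation whose path matches an assumed set of sensitive hints or that carries no security requirement, which is the shortlist a developer would remove from public docs or put behind access control before the retest.

```python
"""Audit an OpenAPI document for operations that should not sit in public
production docs. Added example; the spec and the hint list are assumptions."""

# Assumed hint words matching the admin/payment/export-like paths in the finding.
SENSITIVE_HINTS = ("admin", "payment", "export", "internal", "debug")
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head"}


def audit_openapi(spec: dict) -> list[dict]:
    """Return one record per operation that is sensitive-looking or has no
    security requirement. Order follows the document's own path order."""
    global_security = bool(spec.get("security"))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            sensitive = any(hint in path.lower() for hint in SENSITIVE_HINTS)
            # In OpenAPI 3, an explicit "security": [] disables auth for that one
            # operation; a missing key inherits the document-level requirement.
            sec = op.get("security")
            unauthenticated = sec == [] or (sec is None and not global_security)
            if sensitive or unauthenticated:
                findings.append({"method": method.upper(), "path": path,
                                 "sensitive": sensitive,
                                 "unauthenticated": unauthenticated})
    return findings


# Constructed sample: a bearer-token default with a few overrides.
CONSTRUCTED_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/v1/products": {"get": {"summary": "List products", "security": []}},
        "/v1/admin/users": {"get": {"summary": "List users"}},
        "/v1/payments/export": {"post": {"summary": "Export payments",
                                         "security": []}},
        "/v1/health": {"get": {"summary": "Liveness", "security": []}},
    },
}

if __name__ == "__main__":
    for f in audit_openapi(CONSTRUCTED_SPEC):
        flags = [k for k in ("sensitive", "unauthenticated") if f[k]]
        print(f"{f['method']} {f['path']}: {', '.join(flags)}")
```

Public but deliberately open routes such as the health check will still appear as unauthenticated; the point is to make every such decision explicit rather than discovered from the published document.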

What you receive

The report is built for owners, agencies and technical teams that need evidence, not vague scan output.

Executive summary

What was reviewed, what matters, and where to start.

Evidence-backed findings

Screenshots, responses, route notes and redacted proof where available.

Positive controls

Controls that behaved correctly, not only things that failed.

API route coverage notes

What was crawler-discovered, hinted, provided or unavailable.

Limitations

No-login and evidence limits stated clearly.

Practical fixes

Developer-ready next steps without vague severity theatre.

Retest proof

Before/after verification when fixes are in scope.

Handoff-ready report

Plain-English structure for owners, agencies and technical teams.

View the sample Security Snapshot report

Pricing and scope

Same Security Snapshot packages. API-specific evidence.

Prices are unchanged. Review work starts only after written scope and authorisation are confirmed.

Request Scope Approval — £99

Launch Snapshot

£495

One approved website, store or API surface with evidence-backed findings and limitations.

Standard Snapshot

£895

Fuller evidence pack for approved API/web surfaces, route hints and fix handoff.

Retest only

£195

For agreed findings with a focused fix-verification target.

Hardening Sprint

From £1,500

Scoped implementation support once findings are clear.

Monthly Managed Review

£295/month

A managed rerun each month, with a human-reviewed delta showing how your exposure has changed since the last run.

FAQ

Public API Security Review is no-login by default. Deeper API-key or role testing is separate.

Do you need API keys or logins?

No, not for the default review. Public API Security Review is no-login by default. Credentialed, API-key or role testing requires separate written approval, test accounts and a tighter scope.

Is this a full API pentest?

No. It is an authorised no-login public API security review with evidence-backed findings and limitations. It is not a full penetration test, certification or guarantee of security.

Can you test GraphQL?

Yes, where the GraphQL endpoint is approved and safely observable. Schema, introspection and operation exposure are reviewed only within the agreed public scope.

Can you review OpenAPI or Swagger?

Yes. Public OpenAPI/Swagger docs and client-provided approved route hints can improve coverage and make limitations clearer.

What can a no-login API review find?

It can find public exposure, public documentation, route hints, unsafe CORS/method/header signals, webhook/API route exposure and obvious boundary signals visible without credentials.

What can it not prove?

It cannot fully prove IDOR resistance, tenant separation, role boundaries or logged-in business logic. Those require credentialed testing with written approval and test accounts.

Can you retest after fixes?

Yes. Retest proof can recheck agreed routes, docs, headers or exposure signals after fixes are deployed.

Can agencies use this before client handoff?

Yes. It works well as a no-login evidence pass before launch, client handoff or remediation planning, as long as the agency has written authority for the target.

Need evidence for your public API surface?

Start with an authorised no-login review. If API-key, role or tenant testing is needed, scope it separately with test accounts and written approval.

View Sample Report

Authorised testing only. No destructive actions. No credential attacks.

Public API Security Review is an authorised external security review. It is not a penetration test, Cyber Essentials assessment, PCI ASV scan, legal opinion or certification. Findings reflect the agreed scope and test window only. Security improvements reduce risk; they do not guarantee the absence of compromise.